Unhacking a WordPress site » History » Version 2
Manu Mei-Singh, 02/14/2024 10:50 PM
1 | 1 | Jon Goldberg | h1. Unhacking a WordPress site |
---|---|---|---|
2 | |||
3 | This is an INCOMPLETE guide, but a good starting point! It doesn't cover removing malicious code inserted into the database, for instance. |
||
4 | |||
5 | WordPress gets hacked - a lot. And the correct solution is to restore your database and filesystem from backup. However, sometimes we deal with sites that weren't responsibly managed, and that's not an option. Here's a guide on what to do. |
||
6 | |||
7 | First - if it IS an option, delete your WordPress filesystem and restore from known good files. There's just too many ways to obfuscate a hack, so these approaches are necessarily incomplete. |
||
8 | |||
9 | * Search for suspicious PHP commands: |
||
10 | <pre> |
||
11 | grep -r gzuncompress * |
||
12 | grep -r base64_decode * |
||
13 | grep -r eval( * |
||
14 | grep -r str_rev * |
||
15 | </pre> |
||
16 | |||
17 | Not every instance of these commands is malicious! However, a hacked site will often use these, so look at what comes after them. If it's a long base64 block, that's bad news. |
||
18 | |||
19 | Note that there are MANY ways to obscure the commands above. Here are some example strings you can also search for |
||
20 | <pre> |
||
21 | "base" . "64_decode" |
||
22 | eval/* |
||
23 | </pre> |
||
24 | |||
25 | That last one's tricky. It found this command: @eval/*boguscomment*/('malicious_command')@. |
||
26 | |||
27 | |||
28 | |||
29 | * Check for this: |
||
30 | <pre> |
||
31 | <?php eval(get_option("\x72\x65\x6e\x64\x65\x72")); ?> |
||
32 | </pre> |
||
33 | |||
34 | That evaluates to: |
||
35 | <pre> |
||
36 | <?php eval(get_option("render")); ?> |
||
37 | </pre> |
||
38 | |||
39 | This indicates that there's malicious code in your database, and this minimal change allows the code to render. |
||
40 | |||
41 | Here's the commands I used to remove that from my entire codebase: |
||
42 | <pre> |
||
43 | find -name \*php -exec sed -i 's/<?php eval(get_option("\\x72\\x65\\x6e\\x64\\x65\\x72")); ?>//g' {} \; |
||
44 | find -name \*.html -exec sed -i 's/<?php eval(get_option("\\x72\\x65\\x6e\\x64\\x65\\x72")); ?>//g' {} \; |
||
45 | </pre> |
||
46 | |||
47 | * Look for function names you discovered with the last command and grep for those. I found commands like "ruburat" and "ukonabuh" which I then searched for. |
||
48 | * Use @git reset --hard HEAD@, if you're using git. |
||
49 | * Don't assume git will remove everything! I found php files in places not checked by git. E.g. in the .git folder, to wp-config.php and civicrm.settings.php, wp-content/uploads. Here are some commands to help you find php files where they don't belong (run from webroot): |
||
50 | <pre> |
||
51 | find .git -name \*php |
||
52 | find wp-content/uploads -name \*php |
||
53 | </pre> |
||
54 | 2 | Manu Mei-Singh | |
55 | |||
56 | From when Highlander was hacked: |
||
57 | |||
58 | |||
59 | _*If the site is hacked*_ (note that I wrote these fast and before my vacation... they should probably be updated and my guess is this process can be refined) |
||
60 | |||
61 | # Confirm that the site is hacked or being actively attacked |
||
62 | ** There maybe bogus data created or the site is no loading or something else |
||
63 | # If it being is compromised ssh into the site |
||
64 | # go to the web root directory |
||
65 | # vim .htaccess |
||
66 | # uncomment line 94 and change it with your ip so it should be something like |
||
67 | <pre>Require ip your.ip.goes.here another.ip.goes.here</pre> |
||
68 | # save it. and confirm that only the folks from those ips can access the site |
||
69 | # Login into the site with Manu's user name, password |
||
70 | # goto plugins |
||
71 | # activate Wordfence Security and run the malware scan |
||
72 | ## this may take some time to complete. |
||
73 | ## there will be some red herrings as well because of files not updated |
||
74 | # If you find something confirm that the it's a hacked file... |
||
75 | ## When you ssh into the root directory, run git status to see if any files have been changed. |
||
76 | ## If the same file pops up, the site might be compromised. |
||
77 | # If the site is indeed compromised. clean up up the bad files. |
||
78 | # Check the database for compromised data. |
||
79 | # First I check if there were new users created: |
||
80 | <pre> wp user list --role=administrator --format=table </pre> |
||
81 | ** The above command produces a table that you can review and look for out of the ordinary users with wired emails and recent user_registered time stamps |
||
82 | # If there bogus users, you'll need to delete them either through the wp cli or through web admin panel. |
||
83 | # Check for bogus post data |
||
84 | ** <pre> wp db query 'SELECT * FROM `wp1_posts` ORDER BY `wp1_posts`.`post_date_gmt` DESC LIMIT 10;' >> ~/last_post.txt </pre> |
||
85 | ** I use the above command to see if the last 10 post entires seem out of the ordinary. I then save it to a file |
||
86 | # If there is bogus data it's probably best to go into updraft plus and revert to the last back-up |
||
87 | # you may want to change passwords at this point for users. |
||
88 | # If that worked you can change the .htaccess file back by commenting out line 94 |
||
89 | # confirm that the site is working for all. |
||
90 | # monitor for a few days |